The hack took place at the start of the month when FEIB officials discovered fraudulent attempts to wire as much as $60 million to foreign banks located in Sri Lanka, Cambodia, and the United States.

Later in the week, Sri Lankan officials announced the arrest of an individual who withdrew $195,000 and later attempted to cash out another $52,000 from money that had arrived from Taiwan into three local accounts at the Bank of Ceylon. A second individual was arrested a day later.

The incident caught the eye of international media because it was the latest in a string of bank heists that relied on crooks using malware to take over a bank's SWIFT account and use the SWIFT inter-banking transactions system to move money to new places.

Hack most likely carried out by Lazarus Group

Bank heists using SWIFT accounts have been taking place for more than a year and a half and have affected banks in Bangladesh, Uruguay, Vietnam, Poland, Ukraine, the Philippines, Mexico, and more.

Some of these attacks have been linked to the tactics, techniques, and procedures (TTPs) used by the Lazarus Group. Malware used in some bank heists was linked to previous cyberespionage operations, such as Operation Blockbuster.

A report released today by BAE Systems links malware used in the FEIB heist to past SWIFT attacks, more precisely to the Poland and Mexico hacks.

In total, researchers identified nine different malware samples used in the FEIB hack. Three of these contained links and similarities to past Lazarus Group malware, while four were Hermes ransomware samples.

How the hack happened

Merging information from BAE's report published today and a report from last week by McAfee, attackers appear to have used spear-phishing campaigns to compromise computers inside FEIB's network.

After they mapped the bank's network and identified computers that had access to sensitive systems, they deployed custom-built malware on October 1.

Two days later, on October 3, Lazarus used an employee's credentials to access the bank's SWIFT account and send money to different banks in Sri Lanka, Cambodia, and the US. Experts say the transactions were labeled with the MT103 and MT202COV transaction codes, but the MT202COV codes were used incorrectly, which allowed the bank to detect the breach.
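The article only says the MT202COV codes were "used incorrectly"; it does not spell out the mistake. The following is an added example, not code from the article or from BAE or McAfee, of the kind of reconciliation check a bank's payment-monitoring team could run on outgoing traffic. It assumes (this is the example's assumption, not a fact stated on the page) that every MT202COV cover payment must reference an outgoing MT103 in its related-reference field 21 and settle the same currency and amount in field 32A; any cover that references no known MT103, or disagrees with it on amount, is flagged for review. The message texts are constructed, simplified block-4 fragments.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches ":<tag>:<value>" lines of a (simplified) SWIFT block 4.
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$", re.MULTILINE)


@dataclass
class SwiftMsg:
    mt: str                 # "103" (customer transfer) or "202COV" (cover payment)
    ref: str                # field 20: sender's transaction reference
    related: Optional[str]  # field 21: related reference (assumed to name the covered MT103)
    currency: str           # from field 32A
    amount: float           # from field 32A


def parse_msg(mt: str, block4: str) -> SwiftMsg:
    """Pull the few fields this check needs out of a simplified block-4 text."""
    fields: Dict[str, str] = {tag: val.strip() for tag, val in FIELD_RE.findall(block4)}
    date_ccy_amt = fields["32A"]  # YYMMDD + CCY + amount with a decimal comma
    return SwiftMsg(
        mt=mt,
        ref=fields["20"],
        related=fields.get("21"),
        currency=date_ccy_amt[6:9],
        amount=float(date_ccy_amt[9:].replace(",", ".")),
    )


def find_cover_anomalies(mt103s: List[SwiftMsg], covers: List[SwiftMsg]) -> List[Tuple[str, str]]:
    """Return (cover reference, reason) for every MT202COV that does not
    line up with exactly one outgoing MT103 on reference, currency and amount."""
    by_ref = {m.ref: m for m in mt103s}
    anomalies: List[Tuple[str, str]] = []
    for c in covers:
        if not c.related or c.related not in by_ref:
            anomalies.append((c.ref, "cover references no known MT103"))
            continue
        u = by_ref[c.related]
        if (u.currency, u.amount) != (c.currency, c.amount):
            anomalies.append(
                (c.ref, f"amount mismatch: MT103 {u.currency} {u.amount:.2f} "
                        f"vs cover {c.currency} {c.amount:.2f}")
            )
    return anomalies


# Constructed sample traffic (placeholder references, not real messages).
SAMPLE_MT103 = [
    ":20:TRN0001\n:32A:171003USD1500000,00\n:59:/ACCT-PLACEHOLDER\n",
    ":20:TRN0002\n:32A:171003USD250000,00\n:59:/ACCT-PLACEHOLDER\n",
]
SAMPLE_MT202COV = [
    ":20:COV001\n:21:TRN0001\n:32A:171003USD1500000,00\n",   # consistent cover
    ":20:COV002\n:21:TRN0002\n:32A:171003USD2500000,00\n",   # amount differs from its MT103
    ":20:COV003\n:21:NOSUCHREF\n:32A:171003USD900000,00\n",  # cover with no underlying MT103
]


def run_check() -> List[Tuple[str, str]]:
    """Parse the constructed sample and return the flagged covers."""
    mt103s = [parse_msg("103", t) for t in SAMPLE_MT103]
    covers = [parse_msg("202COV", t) for t in SAMPLE_MT202COV]
    return find_cover_anomalies(mt103s, covers)


if __name__ == "__main__":
    for ref, reason in run_check():
        print(f"{ref}: {reason}")
```

The point of the check is that a cover payment is only meaningful alongside the customer transfer it settles, so an outgoing MT202COV with no matching MT103, or with a different amount, is a cheap, high-signal alert on the bank's own side of the SWIFT link, independent of whatever the attacker did on the compromised workstation.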

Attackers deployed ransomware after breach was discovered

Once FEIB detected the fraudulent transactions, Lazarus operators deployed the Hermes ransomware on the bank's network to delay investigations and encrypt and destroy evidence of their intrusion.

The ransomware they used was identified as Hermes, a ransomware strain discovered this past February, which was later updated to version 2.0.

Hermes was a mundane ransomware strain, but it got some press coverage when Emsisoft researcher Fabian Wosar decided to reverse it in a live stream on YouTube. A decrypter was later published and is available for download. Hermes v2 appeared soon after as a response and is currently not decryptable.

In the FEIB heist, researchers noted that the ransomware deployment was dodgy. The ransomware they used didn't appear to be an original Hermes ransomware strain, but a modified version.

The Hermes strain used on FEIB's network did not change the infected computer's wallpaper and didn't leave a flashy ransom note behind, like the original Hermes note, portrayed below.

Instead, the Hermes version used in the FEIB attacks only showed a popup with the text "finish work" and left a file named "UNIQUE_ID_DO_NOT_REMOVE" in every directory.
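The "UNIQUE_ID_DO_NOT_REMOVE" file dropped into every directory is the one on-disk indicator the article gives for this Hermes variant, and it is a useful way to scope which shares and folders the ransomware reached. Below is an added example, not code from the article or from any of the researchers it cites, of a small sweep that walks a tree and lists every directory holding that marker; the directory layout it scans is constructed in a temporary folder so the script runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Marker file name reported in the article for the modified Hermes build.
MARKER = "UNIQUE_ID_DO_NOT_REMOVE"


def find_marker_dirs(root: Path, marker: str = MARKER) -> List[Path]:
    """Walk `root` and return every directory that contains the marker file.

    Only the presence of the file name is checked; its content is not read,
    so the sweep is safe to run against a suspect share.
    """
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        if marker in files:
            hits.append(Path(dirpath))
    return sorted(hits)


def build_constructed_tree(base: Path) -> None:
    """Create a constructed directory layout: two touched folders, one clean."""
    for rel in ("shared/reports", "shared/reports/2017", "clean"):
        (base / rel).mkdir(parents=True, exist_ok=True)
    for rel in ("shared/reports", "shared/reports/2017"):
        (base / rel / MARKER).write_bytes(b"constructed-placeholder")
    (base / "clean" / "notes.txt").write_text("unaffected")


def demo() -> List[str]:
    """Build the constructed tree, sweep it, and return affected paths
    relative to the tree root (POSIX-style separators)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_constructed_tree(base)
        return [p.relative_to(base).as_posix() for p in find_marker_dirs(base)]


if __name__ == "__main__":
    for d in demo():
        print("marker present in:", d)
```

Run against a real file server, the same `find_marker_dirs` call with the server's root gives the responder a list of affected directories to feed into the restore plan, and a count of how far the encryption stage got before the machine was isolated.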

Overall, the bank heist fits perfectly into Lazarus Group's classical mode of operation and follows the same pattern as past SWIFT-based attacks. The good news is that banks are getting better at spotting illegal transactions and reversing them.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

Makes sense that N. Korea would want to develop ways to attack financial systems (being under stricter sanctions), or to refine their social engineering skills. Also, a target list that China wouldn't mind.

DPRK is cash strapped, no doubt; but how do these attacks get significant funds to N. Korea? Are they using their agents abroad to cash out, use them to entice locals to do that? Either way it risks assets worth more to DPRK than amounts mentioned.

Maybe they're selling dumbed-down versions to 3rd party groups (the way the USSR would sell knock-off quality tanks to their friends). That's one way to develop, test and refine components of a cyber-weapons system, without piddling away the shock and awe potential before they are ready to use it.

Still, it's ever more a case of "seems, looks like, fits the pattern..." whenever state sponsorship is indicated. If some agency has solid proof it's DPRK, they're keeping that information to themselves.